This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Renewing a CA-Signed Certificate in a Keystore
A digital certificate has a validity period, after which the certificate expires. Once a certificate expires, it is no longer valid, and it can cause the client-server communication to fail at the SSL handshake level. Therefore, it is important to plan certificate renewal ahead of time. Neglecting certificate renewal can eventually lead to a catastrophic situation such as major service outage.
Renewing an expired certificate in a keystore involves three high-level steps: checking the validity period of the certificate, generating a certificate signing request (CSR), and importing the new CA-signed certificate into the keystore. Each step is described in detail below.
Following are a few important points to keep in mind when you are renewing an expired certificate:
- Use the same certificate authority that you used when you first got the public certificate. If you use a different certificate authority for certificate renewal, you will have to import the new CA certificate as well as the intermediate certificates to the keystore and the client's trust store.
- If the certificate authority's certificate is not in the keystore, you will get the following error when you try to import the CA-signed certificate to the keystore:
keytool error: java.lang.Exception: Failed to establish chain from reply
To overcome this error, first import the certificate authority's certificate and the intermediate certificates into the keystore in the correct order (root certificate first, then each intermediate), and only then import the CA-signed certificate.
Now let's take a look at each high-level step in detail.
Step 1: Check the validity period of the certificate
Follow one of the steps below to view the validity period of a certificate:
- If you have a public hostname, go to https://www.sslshopper.com/ssl-checker.html and specify the hostname of your server. SSL Shopper lists all the information about the server certificate.
- If you have a Java keystore, execute the following keytool command to view the certificate information:
keytool -list -keystore <keystore_name.jks> -alias <cert_alias> -v
This prompts for the keystore password. Once you specify the password, you can view the certificate information in a human-readable format, where the validity period is displayed as follows:
Valid from: Sun Jun 18 19:26:25 IST 2017 until: Sat Jun 19 19:26:25 IST 2027
- If you have the certificate file, execute the following openssl command:
openssl x509 -in <certname.cer> -text -noout
This displays the validity as follows:
Validity
    Not Before: Jun 18 13:56:25 2017 GMT
    Not After : Jun 19 13:56:25 2027 GMT
- If it is a website, you can view the certificate information via the browser. All major browsers provide the capability to view certificate information.
If the validity period shows that the certificate is about to expire or has already expired, the next step is to generate a Certificate Signing Request (CSR) and obtain a new certificate from the CA.
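As an added example (not part of the WSO2 documentation), the following script automates the validity check described above: it reads the Not After date with openssl, converts it to the number of days remaining, and classifies the result against a warning threshold so the check can run on a schedule instead of by hand. It assumes openssl and GNU date are installed; the keystore_days_left function additionally assumes keytool and a STOREPASS environment variable, and the certificate used in the demo at the end is a constructed self-signed one, not a real server certificate.

```shell
#!/bin/sh
# Added example (not WSO2 documentation): report how many days remain before a
# certificate expires, for a PEM certificate file or for an alias in a Java
# keystore, and classify the result so the check can drive a cron job or monitor.
# Assumes openssl and GNU date; keystore_days_left additionally assumes keytool.
set -eu

# Days until the "Not After" date of a PEM certificate (file path, or /dev/stdin).
# A negative value means the certificate has already expired.
cert_days_left() {
    # openssl prints a single line such as "notAfter=Jun 19 13:56:25 2027 GMT"
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    expiry_epoch=$(date -u -d "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Same check for an alias in a keystore: export the certificate in PEM form with
# keytool -rfc and feed it to cert_days_left. The store password is taken from
# the STOREPASS environment variable (keytool's -storepass:env form).
keystore_days_left() {
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass:env STOREPASS \
        | cert_days_left /dev/stdin
}

# Classify a days-left value against a warning threshold in days.
classify_days() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo WARN
    else echo OK
    fi
}

# Check one PEM file; exit status 0 = OK, 1 = WARN, 2 = EXPIRED (default threshold 30 days).
check_cert_file() {
    days=$(cert_days_left "$1")
    status=$(classify_days "$days" "${2:-30}")
    echo "$1: $status ($days days left)"
    case "$status" in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# Offline demo on a constructed self-signed certificate valid for 400 days
# (a stand-in for a real server certificate; demo.example.test is made up).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 400 -subj "/CN=demo.example.test" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
check_cert_file "$demo_dir/cert.pem" 30 || true    # OK: well outside a 30-day window
check_cert_file "$demo_dir/cert.pem" 500 || true   # WARN: inside a 500-day window
```

Running the check against the keystore rather than a certificate file avoids parsing keytool's own "until:" line, whose time zone abbreviation (IST in the output above) is ambiguous; exporting the certificate with keytool -rfc and letting openssl print the GMT date gives one format to parse in both cases.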
Step 2: Generate a certificate signing request
Depending on the type of keystore you have, follow one of the steps below to generate a CSR:
- If you have a Java keystore, execute the following command:
keytool -certreq -alias <cert_alias> -file <CSR.csr> -keystore <keystore_name.jks>
Note
If you want to generate a CSR with a subject alternative name (SAN), be sure to use the -ext option in the keytool command to specify the required SAN.
Following is a sample keytool command that includes a SAN:
keytool -certreq -alias test -file test.csr -keystore test.jks -ext SAN=dns:test.example.com
- If you have the existing certificate (public key) and its private key as files, execute the following command:
openssl x509 -x509toreq -in <cert_name.crt> -out <CSR.csr> -signkey <private_key.key>
Once you generate the CSR, you need to submit the CSR to your certificate authority to get a new CA-signed certificate.
For testing purposes you can go to http://www.getacert.com/signacert.html and submit your CSR to obtain a new CA-signed certificate for free.
After you obtain the new certificate, import it into the keystore if you are using a Java keystore.
Step 3: Import the new certificate to a keystore
Execute the following command to import the new certificate into the keystore, using the alias of the existing key entry so that the new certificate replaces the expired one:
keytool -import -v -trustcacerts -alias <current_alias> -file <ca_signed_cert.cer> -keystore <keystore_name.jks>
If you want to view information related to the renewed certificate, execute the following keytool command:
keytool -list -keystore <keystore_name.jks> -alias <cert_alias> -v